Re: pf vs ASIC firewalls
Hi all,

Checkpoint guys wrote an article on Checkpoint-based firewalls vs ASIC firewalls. You can find it here: http://www.checkpoint.com/promoforms/downloads/Specialized_Hardware_WP.pdf

I do not agree with all their visions here, but my opinion doesn't matter. Neither do I believe their software is free of giant and fully implemented locking; same story for IPSO on Nokia machines. I believe this is necessary on content-level FWs to remain performing well.

And ... what exactly is the difference between proprietary OSes and commercial software that doesn't publish its source?

Bye,
Mipam.
Re: pf vs ASIC firewalls
On 17 Mar 2005 03:58:26 -0800, [EMAIL PROTECTED] (Henning Brauer) wrote:
>> All of that said, I wonder if there isn't some way to implement something vaguely PF-ish in an FPGA that would allow more control over the rulesets than an off-the-shelf ASIC.
> there likely is... I mean, state table and state table lookups in hardware, hand off ruleset processing to the main CPU, that would rock. If done right.

Be interesting to see if that was possible using commodity offload hardware such as that found in http://www.nvidia.com/object/feature_activearmor.html

greg
-- 
Delenda est Carthago
Re: pf vs ASIC firewalls
* Greg Hennessy [EMAIL PROTECTED] [2005-03-17 19:31]:
> On 17 Mar 2005 03:58:26 -0800, [EMAIL PROTECTED] (Henning Brauer) wrote:
>>> All of that said, I wonder if there isn't some way to implement something vaguely PF-ish in an FPGA that would allow more control over the rulesets than an off-the-shelf ASIC.
>> there likely is... I mean, state table and state table lookups in hardware, hand off ruleset processing to the main CPU, that would rock. If done right.
> Be interesting to see if that was possible using commodity offload hardware such as that found in http://www.nvidia.com/object/feature_activearmor.html

Well, that is just marketing bullshit as far as I can tell.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: pf vs ASIC firewalls
On Mon, 14 Mar 2005 15:33:02 +, Ryan McBride [EMAIL PROTECTED] wrote:
> On Mon, Mar 14, 2005 at 03:50:23PM +0530, Siju George wrote:
>> Could someone please tell me the advantages of PF against firewalls using the ASIC technology in terms of security and performance?
> If there is a bug in pf, we'll tell you, and you can apply a patch. If there is a bug in your ASIC, and the vendor tells you at all, there are two options: go back to doing the packet processing in the underpowered CPU, or replace the hardware.

Thank you so much, Ryan, for replying to this message and thank you so much for all your efforts on this project :)))

I saw this http://www.juniper.net/support/security/alerts/screenos-sshv1-2.txt so there they provide a way to upgrade the OS without replacing the firewall.

Mainly I put this post because of this new news being spread around that ASIC firewalls can have good performance where firewalls like PF fail when there is heavy traffic. It made me wonder whether the performance of ASIC firewalls was brought about at the cost of some security?

Thank you so much once again for the reply :)))

Kind regards
Siju
pf vs ASIC firewalls
Hi all,

Could someone please tell me the advantages of PF against firewalls using the ASIC technology in terms of security and performance?

I happened to hear the following:

> Netscreen is running in ASIC (they are boasting in their marketing) - and thus probably only is checking the first (or first few) packages and then handing all traffic control off to dumb packet shoveling hardware. So probably no checks later in the protocol. Similar problem with CheckPoint's fastpath option, btw.

Thank you so much

Kind regards
Siju
Re: pf vs ASIC firewalls
On Mon, Mar 14, 2005 at 03:50:23PM +0530, Siju George wrote:
> So probably no checks later in the protocol. Similar problem with CheckPoint's fastpath option, btw.

1) Check Point FW-1 is software, not hardware.
2) The fastpath option hasn't been around since 4.0 (and has always been deprecated).
3) In NG, all packets pass through the deep inspection filter engine (even if you enable the SecureXL acceleration feature).

-j
-- 
Beer. Now there's a temporary solution. --The Simpsons
Re: pf vs ASIC firewalls
On Mon, Mar 14, 2005 at 03:50:23PM +0530, Siju George wrote:
> Could someone please tell me the advantages of PF against firewalls using the ASIC technology in terms of security and performance?

If there is a bug in pf, we'll tell you, and you can apply a patch. If there is a bug in your ASIC, and the vendor tells you at all, there are two options: go back to doing the packet processing in the underpowered CPU, or replace the hardware.
Re: pf vs ASIC firewalls
> Could someone please tell me the advantages of PF against firewalls using the ASIC technology in terms of security and performance?

Many (most? all?) vendors shipping what they call ASIC firewalls are actually running software on a network processor (NPU). The benefit is that most NPUs will process packets in real time, so if they claim to support X gigabit per second then they can probably sustain that even with minimum-sized 64-byte Ethernet frames; a PF box doesn't stand a chance with that high of a pps rate.

The downside to NPUs is that they have to service every packet in a fixed amount of time, so they can't do much. They need to have fixed-size state and fragment reassembly tables. They also aren't allowed to do much work per packet. You will also be able to surf Moore's law better with a normal x86 processor than with an NPU.

Technically, your Intel processor is an ASIC too.

.mike

> I happened to hear the following:
> Netscreen is running in ASIC (they are boasting in their marketing) - and thus probably only is checking the first (or first few) packages and then handing all traffic control off to dumb packet shoveling hardware. So probably no checks later in the protocol. Similar problem with CheckPoint's fastpath option, btw.
>
> Thank you so much
> Kind regards
> Siju
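As an added illustration that is not part of any post in this thread, here is the pf side of two points raised above: mike's remark that an NPU has to work with fixed-size state and fragment reassembly tables, and the original worry that a hardware fast path inspects only the first few packets of a connection. The fragment below, in the OpenBSD 3.x pf.conf syntax of the period, shows that pf's table sizes are limits you set yourself, that fragments are reassembled before any rule runs, and that every packet of a connection, not just the first, has to match its state entry. The interface name fxp0, the port and the numeric limits are assumptions chosen for the example.

```pf
# Added example (not from any post in this thread). Interface name, port
# and numbers are assumptions chosen for illustration.
ext_if = "fxp0"

# Where an NPU has fixed-size state and fragment tables, pf's are kernel
# pool limits you choose here (OpenBSD 3.x defaults: states 10000, frags 5000).
set limit states 100000
set limit frags 20000

# Timeouts control how long idle entries occupy the state table; a shorter
# tcp.established helps the table survive abandoned or half-open sessions.
set timeout tcp.established 3600
set optimization normal

# Reassemble fragments before any rule is evaluated, so overlapping or
# tiny fragments are normalised rather than shovelled through untouched.
scrub in on $ext_if all fragment reassemble

block in log on $ext_if all

# State is created only on the initial SYN (flags S/SA). Every later packet
# of the connection must match the state entry, including pf's TCP
# sequence-number window tracking, so inspection does not stop after the
# first few packets.
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state

# Reply traffic for outbound connections likewise rides on state, not rules.
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; once loaded, `pfctl -s memory` prints the limits in effect and `pfctl -s info` the state-table counters, so whether the box is near its table limits is something you can read off the firewall rather than learn from a vendor advisory.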